Beyond Human Error: Software Bug Led to Flight AI171 Tragedy

See comment at the end of the article on:

DGCA orders fuel control switch inspections on various Boeing aircraft by July 21

The Air India Boeing 787-8 Dreamliner operating as flight AI171 from Ahmedabad to London crashed into a medical college's hostel on June 12, just 32 seconds after taking off. One passenger miraculously survived, but all the other 241 people on board and 33 on the ground were killed.

Wreckage of AI Boeing 787

A 15-page Preliminary Report dated 11 July 2025 has been released by the Aircraft Accident Investigation Bureau (AAIB) of the Ministry of Civil Aviation, Government of India. It finds that fuel to the engines of the Boeing 787 involved in the crash was cut off moments after take-off.

Sequence Of Events

Here is the sequence of events from the report, based on the Enhanced Airborne Flight Recorder (EAFR) data:

  • 08:08:33 UTC: Aircraft crossed take-off decision speed V1 and achieved 153 kts IAS.
  • 08:08:35 UTC: Vr speed (155 kts) achieved as per the EAFR.
  • 08:08:39 UTC: Aircraft air/ground sensors transitioned to air mode, consistent with liftoff.
  • Ram Air Turbine (RAT) got deployed during the initial climb, immediately after lift-off.
  • 08:08:42 UTC: Aircraft achieved maximum recorded airspeed of 180 Knots IAS. 
  • Immediately after, the Engine 1 and Engine 2 fuel cutoff switches transitioned from RUN to CUTOFF, one after the other, with a time gap of 1 second.
  • Engine N1 and N2 began to decrease from their take-off values as fuel supply to the engines was cut off.
  • One pilot asked the other why he had cut off. The other pilot responded that he had not done so.
  • 08:08:47 UTC: Both engines N2 values passed below minimum idle speed, and RAT hydraulic pump began supplying hydraulic power.
  • 08:08:52 UTC: Engine 1 fuel cutoff switch transitioned from CUTOFF to RUN.
  • 08:08:54 UTC: APU Inlet Door began opening, consistent with the APU Auto Start logic. 
  • 08:08:56 UTC: Engine 2 fuel cutoff switch also transitioned from CUTOFF to RUN. 
  • 08:09:05 UTC: One pilot transmitted “MAYDAY MAYDAY MAYDAY”
  • 08:09:11 UTC: EAFR recording stopped.

As per the report, both fuel control switches were found in the “RUN” position (fig. 13), and the Ram Air Turbine (RAT) was deployed during the initial climb, immediately after lift-off (fig. 15).

Interpretation of Events

We can reach a very different conclusion about the crash's cause by logically interpreting the events described in the Preliminary Report.

The preliminary report has ignited widespread discussion across social media and news channels, focusing on how both engines' fuel control switches seemingly moved from RUN to CUTOFF, resulting in a sudden loss of thrust.

What actually occurred was a total power failure immediately after lift-off, leading to the automatic deployment of the Ram Air Turbine (RAT). This failure was caused by a software problem: specifically, a known software bug in the 787's power control system that had previously prompted FAA airworthiness directives.

This total power failure caused fuel cutoff to the engines without physically moving the mechanical fuel control switches. The resulting loss of thrust led to a confusing exchange between the pilots, with one asking, "Why did you cut off?" and the other, equally perplexed, replying, "I did not."

In short, a software bug caused a complete power failure, which in turn cut off the fuel supply to the engines, even though the fuel control switches remained in their original positions. The resulting loss of engine thrust confused the pilots, preventing them from taking any corrective action.

Fuel Control Switch

It is impossible for one pilot to manually move the mechanical fuel control switches, lifting them four times in total (twice for each switch), without the other pilot noticing. Moreover, the critical takeoff phase requires the undivided attention of both pilots, leaving no time for such maneuvers.

Fuel Control Switch Operation

To ensure foolproof maintenance, the aircraft maintenance team needs a checklist-based system where a supervisor signs off on each software maintenance task.

The Whitewash Report

The investigative team's conclusion, that both engines' fuel control switches moved from RUN to CUTOFF and then back to RUN, is, in my view, based on a misinterpretation, likely intentional, to save the various companies involved: Boeing, Honeywell and GE, which play significant roles in the design and manufacture of the Boeing 787-8 Dreamliner, and Tata Group's Air India, which operates the Boeing 787 fleet.

Boeing is the primary manufacturer and retains overall design and supply chain responsibility. Honeywell provides crucial systems like flight controls, navigation, and aircraft health management. GE Aviation Systems contributes with systems from takeoff to landing, including the common core system and landing gear.

Software Bug Caused Power Failure

A software problem can cause a total power failure in the Boeing 787-8 Dreamliner, and in fact, it already has. A specific software bug in the power control system of the 787 was publicly acknowledged and led to FAA airworthiness directives.

Confirmed Case: Boeing 787 GCU Software Bug

Problem: A flaw in the Generator Control Unit (GCU) software — specifically an integer overflow bug — could lead to a simultaneous shutdown of all four AC power generators, potentially resulting in total electrical power loss during flight (This includes avionics, displays, flight control systems — unless backups like RAT engage). This was reported in 2015, affecting all Boeing 787 models at the time.

The Technical Glitch (Simplified):

  • The GCU software counted system uptime in 32-bit signed integers.
  • After ~248 days of continuous power (2^31 milliseconds), the counter overflowed, corrupting power logic.
  • This triggered protective shutdown of all power sources, as the system misread the state.
  • In flight, this would lead to loss of all main AC power and potentially critical flight control degradation.

FAA Airworthiness Directive (AD 2015-16-51)

  • Required airlines to completely power down the aircraft every 120 days, to prevent the counter from reaching overflow
  • Boeing released a software patch to correct the bug
  • It was considered a critical safety risk
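The following block is an added illustration, not Boeing's GCU code or anything from the airworthiness directive. It models an uptime counter held in a signed 32-bit integer, shows the "misread state" that a wrapped counter produces (a constructed protective check that trips when the reading goes negative or stops increasing), checks whether a given power-cycle interval keeps the counter below the wrap point, and shows the wrap-safe unsigned arithmetic a firmware engineer uses instead. The tick unit is an assumption: the block uses a 10 ms tick, which is the granularity at which 2^31 ticks come to roughly 248 days (2^31 milliseconds on their own would wrap after about 24.9 days).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Boeing's GCU code. Assumption: one tick = 10 ms, the
 * granularity at which 2^31 ticks amount to roughly 248 days. */

#define TICK_MS        10ULL
#define MS_PER_DAY     (24ULL * 60ULL * 60ULL * 1000ULL)
#define TICKS_PER_DAY  (MS_PER_DAY / TICK_MS)     /* 8,640,000 ticks per day */
#define INT32_WRAP     (1ULL << 31)               /* first value an int32_t cannot hold */

/* Vulnerable pattern: the true tick count truncated into a signed 32-bit slot.
 * Incrementing a signed int past INT32_MAX is undefined behaviour in C, so the
 * two's-complement wrap is written out explicitly to keep the model defined. */
int32_t uptime_as_int32(uint64_t ticks)
{
    uint32_t low = (uint32_t)ticks;               /* modulo 2^32, well defined */
    if (low <= (uint32_t)INT32_MAX)
        return (int32_t)low;
    return (int32_t)(-(int64_t)(0x100000000ULL - low));
}

/* Constructed protective logic: a generator control channel is trusted only
 * while its uptime reading is non-negative and increasing. A wrapped counter
 * fails both tests, so the channel is declared faulty and shut down. */
bool uptime_trips_protection(int32_t prev, int32_t now)
{
    return now < 0 || now < prev;
}

/* Walk the counter one day at a time; return the first day the check trips. */
unsigned first_trip_day(void)
{
    int32_t prev = 0;
    for (unsigned day = 1; day <= 400; day++) {
        int32_t now = uptime_as_int32((uint64_t)day * TICKS_PER_DAY);
        if (uptime_trips_protection(prev, now))
            return day;
        prev = now;
    }
    return 0;
}

/* Whole days a continuously powered counter lasts before it wraps. */
unsigned days_until_wrap(void)
{
    return (unsigned)(INT32_WRAP * TICK_MS / MS_PER_DAY);
}

/* Operational mitigation: does a power-cycle interval keep the counter
 * strictly below the wrap point? */
bool power_cycle_interval_is_safe(unsigned days)
{
    return (uint64_t)days * TICKS_PER_DAY < INT32_WRAP;
}

/* Code fix: keep the counter unsigned and measure elapsed time by unsigned
 * subtraction, which is defined modulo 2^32 and stays correct across a wrap. */
uint32_t ticks_since(uint32_t now, uint32_t then)
{
    return now - then;
}

int main(void)
{
    printf("int32 uptime wraps after %u whole days\n", days_until_wrap());
    printf("protective logic trips on day %u\n", first_trip_day());
    printf("120-day power-down keeps counter safe: %s\n",
           power_cycle_interval_is_safe(120) ? "yes" : "no");
    printf("elapsed ticks measured across a wrap: %u\n",
           ticks_since(5u, 0xFFFFFFF0u));
    return 0;
}
```

The point of `ticks_since` is that the fix is not only a wider integer: any comparison of the form `now < prev` on a free-running counter is wrong by construction, while the unsigned difference `now - then` remains correct as long as the interval being measured is shorter than the counter's period.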

Power Failure Impact

A total power failure on a Boeing 787 can cause fuel cutoff to the engines without physically moving the mechanical fuel control switches, depending on how the electronic engine control (EEC) and fuel systems respond to the power loss. This is a critical concern under investigation in recent incidents.

Understanding the System

The Boeing 787 uses Full Authority Digital Engine Control (FADEC) systems — a type of Electronic Engine Control (EEC) — to manage engine thrust and fuel flow. FADEC relies on electrical power to function properly.

What Happens in Total Power Loss?

| Component | Normal Role | Power Loss Impact |
| --- | --- | --- |
| FADEC / EEC | Controls fuel metering, engine start/shutdown, thrust | May shut off fuel flow or command engine shutdown if unpowered |
| Fuel Shutoff Valve (FSOV) | Electrically actuated valve that stops fuel to engine | May close automatically when power is lost (fail-safe mode) |
| Engine Fire Switch / Lever | Mechanical override by pilot to cut fuel | Still functional, but not required to be moved if power loss triggers shutdown electronically |

Critical Insight

On the Boeing 787, fuel shutoff is electronically controlled via the Engine Interface Units (EIUs) and EECs. If these lose power, fuel can be cut off electronically — even if the pilot has not touched the mechanical levers.

Real-World Relevance — AI171 Investigation

In the Air India Boeing 787 crash (AI171):

  • Both engines shut down seconds after takeoff
  • Cockpit voice and FDR suggest no pilot action to move fire handles or fuel switches
  • Investigators are probing whether:
    • A software glitch or total electrical failure caused auto-fuel cutoff
    • The STAB POS XDCR defect and control system may have interfered with engine logic
    • Engine thrust rollback or FADEC failure contributed to dual flameout

Possibility under review: A power systems software fault or instability caused the EECs to shut down or mis-command fuel cutoff, triggering an un-commanded dual engine failure.

Fail-Safe vs Fail-Deadly

Aircraft systems are designed so that:

  • Fail-safe = Engine continues operating if power is lost (ideal)
  • But if the fuel valves default to closed when unpowered (for fire protection), and no backup power (RAT or battery) is active yet, both engines can shut down.

This is a known hazard under investigation by NTSB and FAA for power-sensitive FADEC logic.

Summary

  • Yes, on the Boeing 787, electrical loss can cut off engine fuel even if the mechanical fuel switches are untouched, because fuel metering and shutoff are electronically controlled through FADEC/EEC and powered valves.
  • This is precisely why electrical system software bugs or power logic faults are treated as flight-critical risks.

Ram Air Turbine (RAT)

The Ram Air Turbine (RAT) is a backup emergency power source in the Boeing 787. It’s a small propeller that automatically deploys into the airstream to generate hydraulic or electrical power when primary systems fail.

The RAT automatically deploys when there is a complete loss of AC electrical power (AC bus failure). That is, if both engine-driven generators and the Auxiliary Power Unit (APU) fail, the RAT automatically deploys to power essential systems.

Flight AI423 Defect

AI423 was the previous flight of this aircraft, from New Delhi to Ahmedabad. From the AAIB's preliminary report on Flight AI423 (which landed earlier the same day):

  • The prior crew logged “STAB POS XDCR” in the technical log (PDR).
  • Maintenance troubleshooting followed standardized procedures (using the Fault Isolation Manual), and the aircraft was released for its next flight.

The “STAB POS XDCR” message logged in the Pilot Defect Report stands for a Stabilizer Position Transducer warning.

  • “Stab Pos” refers to the horizontal stabilizer’s position, which controls the aircraft’s pitch trim.
  • “XDCR” stands for transducer, a sensor that converts the stabilizer’s mechanical position into an electrical signal for the flight control system.

The “STAB POS XDCR” message indicates that the aircraft detected a fault or an invalid reading from the horizontal stabilizer position sensor.

This sensor informs the flight control computers of the stabilizer trim setting—crucial for proper pitch control and safe flight handling. A fault could result in:

  • Inaccurate trim information being displayed to pilots
  • Potential flight control anomalies if the system relies on faulty data

Summary Table

| Component | Role | Issue |
| --- | --- | --- |
| Sensor (STAB POS XDCR) | Measures stabilizer angle | Faulty or noisy reading |
| Software (FCS/Display) | Interprets, validates, displays data | May fail to detect/filter bad data |
| Result | Trim may appear correct but isn't | Can affect control, especially on takeoff |

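The table above describes a failure mode in which the software consuming a transducer signal does not detect or filter a bad reading, so the trim value appears correct when it is not. The block below is an added, hypothetical illustration of the validation layer such software is expected to provide; it is not Boeing's flight control software and no numeric limit in it comes from the aircraft. The travel limits, the maximum plausible stabilizer rate, the staleness deadline, the reject limit and the sample stream are all constructed for the example. It shows four independent checks (sensor validity bit, range, rate of change against the last accepted sample, freshness), and a consumer that holds the last good value and declares trim unavailable after repeated rejections instead of displaying whatever arrives.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Boeing's flight control software. Every limit below is an
 * assumption chosen for illustration. */
#define STAB_MIN_DEG      (-12.0)   /* assumed physical travel of the stabilizer */
#define STAB_MAX_DEG      (4.0)
#define STAB_MAX_RATE     (0.5)     /* assumed fastest plausible motion, deg/s */
#define STAB_MAX_AGE_MS   200u      /* assumed: older samples are stale */
#define STAB_REJECT_LIMIT 3u        /* assumed: rejects before trim is unavailable */

typedef struct {
    uint32_t t_ms;       /* sample timestamp */
    double   angle_deg;  /* reported stabilizer angle */
    bool     sensor_ok;  /* validity bit reported by the transducer itself */
} stab_sample_t;

typedef enum {
    STAB_VALID = 0,
    STAB_SENSOR_FLAG,    /* transducer reports its own fault */
    STAB_OUT_OF_RANGE,   /* angle outside physical travel */
    STAB_RATE_EXCEEDED,  /* moved faster than the actuator could move it */
    STAB_STALE           /* no fresh sample within the deadline */
} stab_status_t;

/* Validate one sample against the last accepted one (prev may be NULL). */
stab_status_t validate_stab_pos(const stab_sample_t *prev,
                                const stab_sample_t *cur, uint32_t now_ms)
{
    if (!cur->sensor_ok)
        return STAB_SENSOR_FLAG;
    if (now_ms - cur->t_ms > STAB_MAX_AGE_MS)       /* unsigned: future time also reads stale */
        return STAB_STALE;
    if (cur->angle_deg < STAB_MIN_DEG || cur->angle_deg > STAB_MAX_DEG)
        return STAB_OUT_OF_RANGE;
    if (prev != NULL && cur->t_ms > prev->t_ms) {
        double dt_s = (double)(cur->t_ms - prev->t_ms) / 1000.0;
        double rate = fabs(cur->angle_deg - prev->angle_deg) / dt_s;
        if (rate > STAB_MAX_RATE)
            return STAB_RATE_EXCEEDED;
    }
    return STAB_VALID;
}

/* Consumer state: last accepted sample plus a run of consecutive rejects. */
typedef struct {
    stab_sample_t last_good;
    unsigned      consecutive_rejects;
    bool          have_good;
} stab_state_t;

stab_status_t stab_feed(stab_state_t *s, const stab_sample_t *cur, uint32_t now_ms)
{
    stab_status_t st = validate_stab_pos(s->have_good ? &s->last_good : NULL, cur, now_ms);
    if (st == STAB_VALID) {
        s->last_good = *cur;
        s->have_good = true;
        s->consecutive_rejects = 0;
    } else {
        s->consecutive_rejects++;
    }
    return st;
}

/* Trim is only offered to the display/FCS while a recent good value exists. */
bool stab_trim_available(const stab_state_t *s)
{
    return s->have_good && s->consecutive_rejects < STAB_REJECT_LIMIT;
}

/* Constructed sample stream, not recorded data: steady trim near 2 deg, one
 * out-of-range spike, one physically impossible jump, then three samples in
 * a row carrying the sensor's own fault flag. */
static const stab_sample_t scenario[] = {
    {   0, 2.00, true  },
    {  50, 2.01, true  },
    { 100, 2.02, true  },
    { 150, 30.0, true  },   /* out of range */
    { 200, 2.03, true  },   /* good again, checked against t=100 */
    { 250, 0.00, true  },   /* 2.03 deg in 50 ms: rate exceeded */
    { 300, 2.04, true  },   /* good again, checked against t=200 */
    { 350, 2.05, false },   /* sensor flag, reject 1 */
    { 400, 2.05, false },   /* reject 2 */
    { 450, 2.05, false },   /* reject 3: trim unavailable */
};
#define SCENARIO_LEN (sizeof scenario / sizeof scenario[0])

/* Feed the scenario; write each verdict to out; return final availability. */
bool run_scenario(stab_status_t *out, size_t n)
{
    stab_state_t s = { {0, 0.0, false}, 0, false };
    for (size_t i = 0; i < SCENARIO_LEN && i < n; i++)
        out[i] = stab_feed(&s, &scenario[i], scenario[i].t_ms);
    return stab_trim_available(&s);
}

int main(void)
{
    stab_status_t verdicts[SCENARIO_LEN];
    bool avail = run_scenario(verdicts, SCENARIO_LEN);
    for (size_t i = 0; i < SCENARIO_LEN; i++)
        printf("t=%3u ms angle=%6.2f -> status %d\n",
               scenario[i].t_ms, scenario[i].angle_deg, (int)verdicts[i]);
    printf("trim available at end: %s\n", avail ? "yes" : "no");
    return 0;
}
```

The rate check is made against the last accepted sample rather than the immediately preceding one, so a single rejected spike does not poison the comparison for the next good reading; the freshness check uses unsigned subtraction so a timestamp from the "future" is treated as stale rather than as fresh.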
Software Related Issues

The following main software-related issues have been reported for the Boeing 787 Dreamliner:

1. Generator Control Unit (GCU) Integer Overflow

  • A known software bug in the GCU causes system uptime stored in a signed 32‑bit integer to overflow after ~248 days, triggering simultaneous generator fail-safe mode and potential total electrical shutdown.

  • FAA directives require operators to fully power-cycle the aircraft at least every ~51 days to avoid this issue.

2. Autopilot/ILS Localizer Capture Fault

  • On approaches, especially in Hong Kong, the autopilot flight-director system sometimes fails to capture runway localizer when intercepting at steep angles (>40°). The aircraft continues off-axis despite indicating “LOC” mode on PFD.

  • The FAA issued bulletins and Boeing released a software patch; however, airlines like Qatar Airways have reported that the patch did not fully resolve the issue.

3. VHF Radio Frequency Switch Glitch

  • A bug causes unintended switching between active and standby VHF radio frequencies without pilot input, risking missed ATC communications.

  • Boeing issued a fix, but airlines including Qatar report the issue persists; regulators are pushing additional Airworthiness Directives.

4. Engine FADEC/Thrust Control Glitch

  • A suspected software fault in the FADEC’s Thrust Control Malfunction Accommodation (TCMA) system may erroneously reduce engine thrust in flight, similar to a previous ANA incident.

  • This glitch is under active investigation in connection with the recent Air India AI‑171 crash.

Summary Table

| Issue | Impact | Status |
| --- | --- | --- |
| GCU overflow | Potential power loss mid-flight | Mitigated by frequent reboots |
| ILS capture fault | Misaligned approaches, increased pilot workload | Fix underway, patch issues reported |
| VHF radio glitch | Missed ATC communications | Fix issued; reports of persistence |
| FADEC thrust rollback | Un-commanded thrust reduction | Investigating link to crash |

Urgent Need for a Swift Investigation

Typically, the final report for an investigation like this takes one to two years to be released. That delay, however, leaves public safety dependent on commercial airlines that continue to operate Boeing 787s to keep their businesses running. The Indian government has a moral obligation to the world to conclude this investigation as quickly as possible and prevent another major air catastrophe.

Appendix: Explanation of Terms

APU - Auxiliary Power Unit

A-SMGCS - Advanced Surface Movement Guidance and Control System is a surveillance and alert system used at airports to track and manage aircraft and vehicle movements on the ground in low visibility and high-traffic conditions.

CVR - Cockpit Voice Recorder: The EAFR records audio from the cockpit, including pilot and co-pilot microphones, other crew member communications, and ambient cockpit sounds. 

CPM - Crash-Protected Memory: The recorded data is stored in a crash-protected module, designed to survive a severe accident. 

DFDR - Digital Flight Data Recorder captures a wide range of aircraft parameters like altitude, airspeed, heading, and aircraft attitude, as well as the status of various onboard systems. 

EAFR - Enhanced Airborne Flight Recorder is a type of flight recorder used in aircraft. It combines the functions of a Cockpit Voice Recorder (CVR) and a Digital Flight Data Recorder (DFDR), and can also include data link communication recording and even cockpit imagery. The EAFR records flight crew audio, flight data parameters, and data link messages, storing this information in a crash-protected memory module. 

Golden Chassis - This is simply a clean, functional flight recorder shell used to interface with damaged recorders’ memory modules—critical equipment in recovering flight data after accidents when the original device is compromised.

RAT - Ram Air Turbine is a backup emergency power source. It’s a small propeller that automatically deploys into the airstream to generate hydraulic or electrical power when primary systems fail.

Edited: 15 July 2025 09:15 Dubai Local Time

India Orders Airlines to Check Fuel Switches on Boeing Jets After Deadly Crash
ABC News – July 15, 2025

In my view, the ordered inspection of fuel switches is largely superficial and unlikely to yield meaningful insights.

Predictably, airlines will report that the mechanical fuel switches are functioning as expected, with no faults identified. This outcome risks two serious consequences:

  1. It may mislead investigators, pushing the inquiry toward irrelevant or incomplete conclusions.

  2. It may give aircraft operators a false sense of safety, potentially delaying the identification of deeper systemic issues.

The inspection focuses solely on the mechanical functionality of the switches — whether they move and operate as designed. However, the more critical issue is whether fuel supply can be electronically interrupted and restored without any corresponding movement of the switches. As I have previously noted, it is likely that an electronic fuel cutoff — not a manual switch movement — triggered the engine shutdowns involved in the crash.

This scenario cannot be verified through routine maintenance checks. It would require in-depth testing of the electronic control systems, including whether fuel shutoff valves respond abnormally to electronic signals under fault conditions.

It is also plausible that faulty sensor inputs triggered a total electrical power failure, as evidenced by the deployment of the Ram Air Turbine (RAT). This, in turn, may have caused the electronic systems to close the fuel valves automatically. Simulating and diagnosing such a scenario requires advanced expertise in avionics, software behavior under fault conditions, and integrated system testing — tasks far beyond the scope of standard airline maintenance protocols.

Comments

  1. See further edits at the end of the Article regarding the news:

    "DGCA orders fuel control switch inspections on various Boeing aircraft by July 21"
    https://indianexpress.com/article/business/aviation/dgca-airlines-fuel-switch-locking-system-boeing-787-737-aircraft-10126140/
